Firefox phishing vulnerability discovered

Summary: A newly discovered flaw in Firefox could allow cybercriminals to take advantage of Web surfers.

A vulnerability in Firefox could make users of the open source browser more likely to fall for phishing scams.

The flaw in Mozilla Firefox 1.0, details of which were published by Secunia on Tuesday, allows malicious hackers to spoof the URL in the download dialog box which pops up when a Firefox user tries to download an item from a Web site. This flaw is caused by the dialog box incorrectly displaying long sub-domains and paths, which can be exploited to conceal the actual source of the download.
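The truncation problem described above, sketched as an added example (not code from Mozilla, Secunia or this article): a fixed-width source field that keeps the leading characters loses the real host, while one that elides from the left always keeps the rightmost labels. The function names, the 40-character width and the sample URL (built from reserved example names) are assumptions.

```javascript
// Added example. SAMPLE is constructed; DIALOG_WIDTH is an assumed field width.
const DIALOG_WIDTH = 40;
const SAMPLE =
  "http://www.example.com.files.updates.secure.download.mirror.attacker.test/setup.exe";

// Weak rendering: keep the first characters of host + path.
// A long sub-domain pushes the labels that identify the real host out of view.
function naiveSource(urlString, width = DIALOG_WIDTH) {
  const { hostname, pathname } = new URL(urlString);
  const text = hostname + pathname;
  return text.length <= width ? text : text.slice(0, width - 3) + "...";
}

// Hardened rendering: show the host only and, when it is too long, drop labels
// from the LEFT. The last two labels are always kept, even if they exceed the
// width. (A production version would find the registrable domain with the
// Public Suffix List instead of assuming two labels.)
function safeSource(urlString, width = DIALOG_WIDTH) {
  const { hostname } = new URL(urlString);
  if (hostname.length <= width) return hostname;
  const labels = hostname.split(".");
  const kept = [];
  let used = 3; // room for the leading "..."
  for (let i = labels.length - 1; i >= 0; i--) {
    const cost = labels[i].length + 1; // label plus its dot
    if (used + cost > width && kept.length >= 2) break;
    kept.unshift(labels[i]);
    used += cost;
  }
  return "..." + kept.join(".");
}

// Check for a UI test: does the weak rendering hide the last two host labels?
function concealsHost(urlString, width = DIALOG_WIDTH) {
  const tail = new URL(urlString).hostname.split(".").slice(-2).join(".");
  return !naiveSource(urlString, width).includes(tail);
}

console.log(naiveSource(SAMPLE)); // leading labels only
console.log(safeSource(SAMPLE));  // rightmost labels preserved
console.log(concealsHost(SAMPLE));
```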

Mikko Hyppönen, director of antivirus research at F-Secure, said this bug could make Firefox users vulnerable to cybercriminals. "The most likely way we could see this exploited would be in phishing scams," said Hyppönen.

To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site.

This flaw was given a severity rating of two out of a possible five by Secunia.

David Emm, a senior technology consultant at antivirus company Kaspersky Labs, said it is unlikely that phishers will take advantage of this exploit in Firefox because Microsoft's Internet Explorer still dominates the browser market.

"I think it's unlikely that we'll see hackers rush to exploit this vulnerability," said Emm. "After all, Firefox has a much, much smaller install base than IE and it's likely that hackers will continue to pay more attention to [IE] instead."

This may change in the future as Firefox has attracted a lot of interest in the past few months. A survey at the end of November found that Mozilla-based browsers, including Firefox, accounted for 7.4 percent of browsers in November 2004, up 5 percent from May.

The download vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.

The Secunia advisory and Mozilla bug report are available online.


Talkback

26 comments
  • A security vulnerability..??? this is a ridiculous story..!!

    "To fall victim to such a scam, a Firefox user would have to click on a link in an email that pointed to a spoofed Web site and then download malware from the site, which would appear to be downloaded from a legitimate site."

    So you "have" to be at a spoofed site already...then click a link to download files from a spoofed download area..... where is the problem... I hardly think that a spoofed site would link you to a legit download area...
    anonymous
  • This article by Ingrid Marson and the opinions of the analysts (Mikko Hypp
    anonymous
  • Ooooh.. I'm frightened!! I guess I'll switch back to the M$ (and your?) favorite Internet Exploder again and wait for the spam and pop-up to get on my nerves again.
    I'm sure this is a REAL problem with FireFox, especially when I read "No solution is available at present, but Mozilla developers plan to fix this bug in an upcoming version of the product.", as this is what always happened, late fixes!!
    Have a look at www.spreadfirefox.com and see how they are SO scared because of this security issue.

    I guess you mistyped the title after the "Massive IE phishing exploit discovered" link to the article shown down!

    Try again.. :-)
    anonymous
  • Microsoft is waiting for one person to be caught in the scam to say TOLD YOU open source is more expensive, it just cost her 10 000 dollars because she chose firefox. Firefox, fix it quick!

    Ps Firefox users are much smarter than IE users, they chose the better browser after all.

    LONG LIVE the FOX.
    anonymous
  • Big deal! This is only one problem compared to the thousands IE has. FireFox is the way forward, Microsoft will be wiped soon.
    anonymous
  • I agree, Pete, that the vulnerability in Firefox isn't a huge threat --- that's why we reported that Secunia gave it a severity rating of two out of a possible five.

    We certainly aren't suggesting that this bug should deter people from running Firefox. But given the serious threat posed by phishing, I believe we were right to run the story.

    Thanks for your interest,

    Graeme
    anonymous
  • If this vulnerability had been identified in IE, the anti Microsoft community would no doubt be quick to criticise the product as insecure.

    Users are smart enough to make up their own minds about which web-browser to use - and the more information that is available about all products on the market, including open source efforts, the better.

    Over-zealous open source fanatics should concentrate on improving their products rather than complaining about the coverage they get, and leave it to end users to determine how relevant the product really is to their needs.
    anonymous
  • Ouch! 'Users are smart enough to choose their own browser'??
    Most users couldn't spell 'browser' without help. The only reason so many people use IE is because it is built-in to the operating system that was on the PC they bought, and no other reason. Since 1995 nobody has once asked me for a different browser to IE, it wouldn't even cross their minds that it's possible.
    I'm not for/against IE, and I've only just started using FIREFOX as well as IE.
    People get very defensive over these things. Just enjoy the technology! U cud b livin in a cave instead ;)
    anonymous
  • There is no reason to believe that Firefox is actually any more secure than IE. It is just [currently] less targeted for attack. Firefox may offer some "security through obscurity", but once it gets to any sort of critical mass then it will be targeted (and since the hackers have the source code their life will be that much easier (and when a patched version is released it will be easy for them to see where the vulnerability is and target older versions)).
    anonymous
  • Let's face it, not everyone out there is a Web Site Administrator, Web Page Developer, Internet Security analyst or Cyber Geek.

    Therefore, yes, millions of people in the world are ignorant when it comes to computing.

    I would venture to guess that 99 percent of anyone you asked doesn't know what open source means, or how or why it is different from IE.

    Not to mention the fact, that millions still think emails that 'look' like they are from their credit card company or other financial institution are real. Which is where the problem is. Not with techies or someone who has a clue about the reality of computing.

    'We' may be protected because 'we' choose not to click a link to 'verify our financial information'. But many don't know that these are phishing scams... and previous 'advice' from internet security persons like Paypal and Citi Bank say to 'Check the URL' to verify authenticity.

    For the ignorant, this is where this flaw is important, and the URL will appear real.

    That's the gist of it. So, for everyone who thinks it is absurd that anyone would click a link to verify this or authenticate that, remember, not everyone is a Web Administrator etc.

    Do them a favor and educate them rather than scoffing at how unfathomable and unreportable this story by zdnet is!

    cheers.

    BB
    anonymous
  • Critical mass FUD is the typical reaction of the uninformed. If critical mass (certainly when combined with access to the source) was that important for getting successfully attacked in large numbers then why don't we see massive and successful attacks on all those other Open Source products that run the Internet today in enormous numbers?

    I sometimes find myself wishing that all Open Source products would stop to function for just one hour all at the same time. Perhaps then more people will start to realize how much Open Source is already part of today's life.

    Another thing. Spammers, phishers, etc don't aim for a 100%, 10% or even a 1% success rate. Since the market penetration of non-Microsoft browsers has been more than 1% for many years now. How come those poor non-Microsoft browser users haven't been slaughtered month in, month out? I mean, surely those spammers and phishers will go for the easy prey, whatever they are. And believe me, even just 1% of just 5% of the entire Internet community would be a dream come true for them.

    Riddle me this. In many companies there are people using IE with very expensive security hardware and software maintained by so called experts sitting between them and the Internet and they're not amused. While at home, for those that don't use IE, there's maybe $40 of equipment between them and the Internet and they're amused. How come?

    There's critical mass alright. But it's about the FUD soap box that's about to explode. Followed soon after with a critical mass of consumers and CFOs starting to ask difficult questions to their former-to-be IT salesmen, IT advisors, IT consultants and IT managers.

    Basically a whole industry used to overcharging is going to be replaced by an industry that charges fairly. And the only way to become part of that new industry is to sell something different than those products with built-in overcharging capabilities. Things are starting to get interesting.
    anonymous
  • Firefox without a doubt, is the best and most secure browser on the market today, and no matter what propaganda is spread throughout the net regarding its security in a negative way, those who actually KNOW will continue to use Firefox and wait until the patch is complete, not actually even thinking nor caring whether it is released or not while using it.

    What is not mentioned however, is the simple fact Firefox running on Linux is quite a bit more secure than implementing it within oh..let's say...XP. For those window injected scripts, one can also mistakenly download forcibly malicious scripts as well, which in most cases, are going to directly affect your Windows OS, and not your Linux OS.
    That would be almost ten fold if you by chance were actually using IE as example.

    There are plenty of examples of hidden WIN32.exe links on web sites as well, in which IE will be more than happy to inject your very expensive Microsoft OS without even batting an eye, or at least giving you warning. But...of course, Firefox is growing in popularity, so let us bash them with one particular user induced error of ignorance instead, blaming it actually on the browser, and not the people using it (where the blame actually should be directed).

    Perhaps more information regarding fact instead of fiction should be presented, rather than blaming security flaws of one of particular browser that used to have a monopoly on the market as a victim to such devious implementations of code because of popularity, rather than the simple fact it is in reality, an open window to your whole Windows operating system when proper measures are not taken to plug all of those holes, even AFTER the SP2 upgrade, which was basically billed as the 'security fix to end all security problems'.

    Education toward the matter would help as well, properly documenting information in prevention to people that clicking on each and every link on the net or in your email is never a good idea. However, once again, rather than directing the story to prevention and education, it is seemingly disguised as a resentful demonstration toward stifling open source movements such as the Firefox browser glorifies.

    I find it quite ironic in the same setting, that a multi-billion dollar corporation cannot provide security measures for their OS nor their in house programs, without an outside developer or software company providing that protection at a sizeable cost, while open source provides the best overall protection at no cost.

    With that being said, this little "scare" is nothing more than an opportune moment to try and shed negative light upon a growing browser and growing movement known as open source, and maybe one day, this country will figure out that the only reason security is needed, is because they are somewhere they should not be in the first place.
    anonymous
  • can't believe it!
    But where's the PoC? :)
    anonymous
  • Firefox is undoubtedly a better and more secure browser than IE, but any site that reports on flaws or possible flaws in IE -- and gives Firefox coverage -- should report on Firefox's flaws too.

    Essentially, Firefox is better but it's not perfect, and anyone who thinks or claims it is is as bad as anyone who gets taken in by Gates' marketing spiel.
    anonymous
  • I've used Firefox since the Phoenix days. No one ever asked me what/which browser I like. Oh Well. Once again not everyone's voice is heard, unless you scream. As far as a "security hole" it should be more of a User Vulnerability, as only a dumb person goes clickin links in emails from odd places, last I knew. Granted, it's nice to KNOW, but come on. Most of these "announcements" just give the Phishermen a REASON to try to exploit it. Perhaps I just have learned my lessons long ago by helping people who are dumb already. One does learn what NOT to do from listening how other people screw up their machines. Muahahaa
    anonymous
  • I use both Firefox and IE, and while IE is plagued on an ancient Egyptian scale, let's just remember that IE makes up a huge percentage of the market right now because it is shipped with Windoze. Because of that fact slimeball phishers and script-kiddies are going to focus the most attention at IE because they have a higher success rate there. People seem to think that because Firefox has no blatant (as of yet) security holes that it's the browser to end all browsers and everyone else should just hang up their gloves. If the "hacker" (and I use that term loosely) community focused as much attention at Firefox as they did other browsers, you can rest assured that vulnerabilities would be found or created. Open source makes that job just that much easier. In the end it basically comes down to who can or cannot be duped. I think simply personal preference will determine the market. Peace.
    anonymous
  • Firefox will always be more secure than Internet Explorer because it isn't tightly integrated with Windows as IE is.
    Using IE is risking to lose all control of the machine just by surfing even accidentally the wrong web page.
    While Firefox will never download/install something without the user knowing. And being open source is as helpful for hackers as it is for programmers who make Firefox better everyday.
    anonymous
  • It doesn't matter at all if only a couple of us use Firefox/Mozilla for a better browsing. People have an option and the right to choose which software to use to make their lives easier. But eventually they will have problems related to security/virus/spies/younameit with IE (and perhaps with Firefox too), so it's not a big deal. Which one will they end up using is just a matter of how many problems they had with IE to look at Firefox.
    anonymous
  • I think it's important to put things in context and this small flaw is nothing compared to the absurdly huge number of easily exploitable flaws in IE.

    The average user who's running an unpatched old version of IE would be so much better off in terms of security if switching to FireFox.

    Anyway, FireFox is open source and I expect a fixed release to appear soon.

    Spread the word - FireFox rules
    anonymous
  • The simple solution is often the best, JUST stay off the fake sites. If you are concerned, don't download anything - I surf with NO ANTI VIRUS and an edge F / W, apart from the consistent supply of tracking cookies that Spybot S&D software catches I get a flash now and again from a passing virus - sweep machine with the second pc after surfing and I'm clean and ready to go again. I also walk to the bank. Malware usually needs to be downloaded, just watch your clicks and try the long URL extension on the Mozilla site, it at least tells you what the machines site COULD be.
    anonymous